Information Systems Acquisition, Development and Maintenance

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 17:33, 21 May 2007

Security requirements of information systems

The objective of this category is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.

Security requirements analysis and specification

Statements of business requirements for new information systems, or for enhancements to existing information systems, should include a specification of the requirements for security controls.

Control includes:

  • Consideration of the business value of, and the legal, regulatory and certification standards that apply to, information assets affected by the new or changed system(s)
  • Consideration of administrative, technical and physical controls available to support security for the system(s)
  • Integration of these controls early in system design and requirements specification
  • A formal plan for testing and acceptance, including independent evaluation where appropriate


Correct processing in applications

This category aims to prevent errors, loss, unauthorized modification or misuse of information in applications.

Input data validation

Data input in applications should be validated to ensure that the data is correct and appropriate.

Control includes:

  • Use of both automatic and manual methods of data verification and cross-checking, as appropriate
  • Defined responsibilities and processes for responding to detected errors


Control of internal processing

Validation checks should be incorporated into applications to detect the corruption of information through processing errors or deliberate acts.

Control includes:

  • Use of both automatic and manual methods of data verification and cross-checking, as appropriate
  • Defined responsibilities and processes for responding to detected errors


Message integrity

Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate controls selected and implemented.

Output data validation

Data output from applications should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

Control includes:

  • Use of both automatic and manual methods of data verification and cross-checking, as appropriate
  • Defined responsibilities and processes for responding to detected errors
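
The three controls above (input data validation, control of internal processing, output data validation) are easiest to see together in one small batch pipeline. The following is an added example, not code from the HORSE page: the field names, allowlist rules, fee rate and sample records are constructed for the demo. Input is checked against an allowlist and rejected whole on any failure, a control total is taken over the accepted records, and after processing the output is reconciled against that total so that a record dropped, duplicated or altered in between, by a bug or on purpose, is detected.

```python
"""Input, processing and output validation for a small payment batch.

Added example, not part of the HORSE page: one pipeline that applies the three
"Correct processing in applications" controls. Field names, allowlist rules,
the fee rate and the sample batch are all constructed for the demo.
"""
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import List, Tuple

# Constructed allowlist rules: what an acceptable input record looks like.
ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")
CURRENCIES = {"EUR", "GBP", "USD"}
MAX_AMOUNT = Decimal("100000.00")
FEE_RATE = Decimal("0.01")                      # constructed: 1 percent fee
REQUIRED = {"account", "amount", "currency"}


@dataclass
class Rejection:
    """A rejected record with its reasons: routed to the data owner, never silently dropped."""
    record: dict
    reasons: List[str]


def validate_input(rec: dict) -> List[str]:
    """Input data validation: returns the failures found (empty list means accepted).
    Allowlist checks only (fields, type, format, range, set membership); a bad
    record is rejected as a whole rather than 'cleaned up'."""
    errors: List[str] = []
    extra = set(rec) - REQUIRED
    if extra:
        errors.append(f"unexpected fields: {sorted(extra)}")
    missing = REQUIRED - set(rec)
    if missing:
        errors.append(f"missing fields: {sorted(missing)}")
        return errors
    if not isinstance(rec["account"], str) or not ACCOUNT_RE.match(rec["account"]):
        errors.append("account: not a 2-letter, 8-digit identifier")
    try:
        amount = Decimal(str(rec["amount"]))
        if amount <= 0 or amount > MAX_AMOUNT or amount != amount.quantize(Decimal("0.01")):
            errors.append("amount: must be positive, at most MAX_AMOUNT, with 2 decimals")
    except InvalidOperation:                    # also raised when comparing NaN
        errors.append("amount: not numeric")
    if not isinstance(rec["currency"], str) or rec["currency"] not in CURRENCIES:
        errors.append("currency: not in allowlist")
    return errors


def control_total(records: List[dict]) -> Tuple[int, Decimal]:
    """Batch control total (count, sum of amounts), taken once input is accepted."""
    return len(records), sum((Decimal(str(r["amount"])) for r in records), Decimal("0"))


def post(rec: dict) -> dict:
    """The processing step: split each amount into net and fee."""
    amount = Decimal(str(rec["amount"]))
    fee = (amount * FEE_RATE).quantize(Decimal("0.01"))
    return {"account": rec["account"], "currency": rec["currency"], "net": amount - fee, "fee": fee}


def reconcile_output(expected_count: int, expected_sum: Decimal, posted: List[dict]) -> List[str]:
    """Control of internal processing and output validation: per-record plausibility,
    then a run-to-run reconciliation against the input control total."""
    problems: List[str] = []
    for i, p in enumerate(posted):
        if p["net"] <= 0 or p["fee"] < 0:
            problems.append(f"record {i}: implausible net/fee")
        if p["currency"] not in CURRENCIES:
            problems.append(f"record {i}: currency not in allowlist")
    if len(posted) != expected_count:
        problems.append(f"count mismatch: {len(posted)} posted vs {expected_count} accepted")
    out_sum = sum((p["net"] + p["fee"] for p in posted), Decimal("0"))
    if out_sum != expected_sum:
        problems.append(f"control total mismatch: {out_sum} out vs {expected_sum} in")
    return problems


def process_batch(records: List[dict]) -> Tuple[List[dict], List[Rejection], List[str]]:
    """Validate, post, reconcile. Returns (posted, rejections, problems)."""
    accepted, rejections = [], []
    for rec in records:
        errs = validate_input(rec)
        if errs:
            rejections.append(Rejection(rec, errs))
        else:
            accepted.append(rec)
    count, total = control_total(accepted)
    posted = [post(rec) for rec in accepted]
    return posted, rejections, reconcile_output(count, total, posted)


# Constructed sample batch: two good records and four that must be rejected.
SAMPLE_BATCH = [
    {"account": "GB12345678", "amount": "100.00", "currency": "GBP"},
    {"account": "DE87654321", "amount": "250.50", "currency": "EUR"},
    {"account": "gb1234", "amount": "10.00", "currency": "GBP"},                 # bad account format
    {"account": "US11112222", "amount": "-5.00", "currency": "USD"},             # negative amount
    {"account": "FR33334444", "amount": "20.00", "currency": "XXX"},             # currency not allowed
    {"account": "US55556666", "amount": "1e9", "currency": "USD", "memo": ""},   # extra field, out of range
]

if __name__ == "__main__":
    posted, rejected, problems = process_batch(SAMPLE_BATCH)
    print(f"posted {len(posted)}, rejected {len(rejected)}, problems {problems}")
    for r in rejected:
        print("rejected", r.record["account"], "->", "; ".join(r.reasons))
```

The control total is the practitioner's cheap answer to the "deliberate acts" clause: it costs nothing to compute at intake and catches the class of manipulation (one record quietly inflated, one dropped) that per-record checks alone cannot see. The rejections list is what the "defined responsibilities and processes for responding to detected errors" bullet is about: someone owns that queue.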


Cryptographic controls

This category aims to protect the confidentiality, integrity and authenticity of information by cryptographic means.

Policy on the use of cryptographic controls

Policies on the use of cryptographic controls for protection of information should be developed and implemented.

Control includes:

  • Statement of general principles and management approach to the use of cryptographic controls
  • Specifications based on a thorough risk assessment that considers appropriate algorithm selection, key management and other core features of cryptographic implementations
  • Consideration of legal restrictions on technology deployments
  • Application, as appropriate, to data at rest on fixed-location devices, data carried on mobile or removable media or stored in mobile devices, and data transmitted over communications links
  • Specification of roles and responsibilities for implementation of and the monitoring of compliance with the policy


Key management

Key management policies and processes should be implemented to support an organization's use of cryptographic techniques.

Control includes procedures for:

  • Distributing, storing, archiving and changing or updating keys
  • Recovering, revoking or destroying keys, and dealing with compromised keys
  • Logging all transactions associated with keys
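
The message integrity control and the key management procedures above are two halves of the same mechanism: a MAC only proves integrity for as long as the key behind it is trustworthy, so the verifier must know which key made a tag, whether that key is still valid, and every change to that status must be logged. The following is an added example and not the HORSE page's own code: an HMAC-SHA256 tag carrying a key id, backed by a keyring that rotates, retires and revokes keys and records each operation. Key ids, the tag format and the demo messages are constructed; real key material belongs in an HSM or key management service, not in process memory.

```python
"""HMAC message integrity with a rotating, revocable, audited keyring.

Added example, not the HORSE page's own code. Illustrates "message integrity"
together with the key-management procedures: rotation, retirement, revocation
of a compromised key, and logging of every key operation. Key ids, tag format
and messages are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class KeyRing:
    """HMAC keys by id. One key is active (used to sign); retired keys still
    verify so messages in flight survive a rotation; revoked keys do not."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._state: Dict[str, str] = {}          # "active" | "retired" | "revoked"
        self.active: Optional[str] = None
        self.audit: List[Tuple[str, str]] = []    # (operation, key id), append-only

    def _log(self, op: str, kid: str) -> None:
        self.audit.append((op, kid))

    def rotate(self, key: Optional[bytes] = None) -> str:
        """Install a new active key; the previous active key becomes verify-only."""
        kid = f"k{len(self._keys) + 1:03d}"
        self._keys[kid] = key if key is not None else secrets.token_bytes(32)
        if self.active is not None:
            self._state[self.active] = "retired"
            self._log("retire", self.active)
        self._state[kid] = "active"
        self.active = kid
        self._log("rotate", kid)
        return kid

    def revoke(self, kid: str) -> None:
        """Compromised key: never sign with it again and reject its old tags too."""
        if kid not in self._keys:
            raise KeyError(kid)
        self._state[kid] = "revoked"
        if self.active == kid:
            self.active = None                    # caller must rotate before signing again
        self._log("revoke", kid)

    def key_for_verify(self, kid: str) -> Optional[bytes]:
        """Key material for verification, or None if the id is unknown or revoked."""
        if self._state.get(kid) in ("active", "retired"):
            return self._keys[kid]
        return None


def _mac(key: bytes, kid: str, msg: bytes) -> str:
    # The key id is bound into the MAC so a tag cannot be re-labelled with another id.
    return hmac.new(key, kid.encode() + b"\x00" + msg, hashlib.sha256).hexdigest()


def sign(ring: KeyRing, msg: bytes) -> bytes:
    """Tag of the form b'<kid>.<hex mac>'; the kid tells the verifier which key to use."""
    if ring.active is None:
        raise RuntimeError("no active signing key; rotate first")
    return f"{ring.active}.{_mac(ring._keys[ring.active], ring.active, msg)}".encode()


def verify(ring: KeyRing, msg: bytes, tag: bytes) -> bool:
    """True only if the tag was made over exactly this message with a key that is still trusted."""
    kid_b, _, mac = tag.partition(b".")
    kid = kid_b.decode("ascii", errors="replace")
    key = ring.key_for_verify(kid)
    if key is None:
        ring._log("reject", kid)                  # unknown or revoked key id
        return False
    return hmac.compare_digest(_mac(key, kid, msg).encode(), mac)


if __name__ == "__main__":
    ring = KeyRing()
    k1 = ring.rotate()
    msg = b"pay 100.00 to GB12345678"
    tag = sign(ring, msg)
    print("valid:", verify(ring, msg, tag))
    print("altered:", verify(ring, b"pay 900.00 to GB12345678", tag))
    ring.rotate()                                 # scheduled rotation: old tag still verifies
    print("after rotation:", verify(ring, msg, tag))
    ring.revoke(k1)                               # key compromise: old tag now rejected
    print("after revocation:", verify(ring, msg, tag))
    print("audit:", ring.audit)
```

Two details matter in practice. The key id is included under the MAC, so an attacker who learns one key cannot take a tag made with it and relabel it as coming from a different, still-trusted key. And revocation is a distinct state from retirement: a scheduled rotation keeps old tags verifiable for their lifetime, whereas a compromise must invalidate everything the key ever signed, which is why "dealing with compromised keys" is its own bullet above.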


Security of System Files

Control objective:

To ensure the security of system files.

Control of operational software

Procedures should be implemented to control the installation of software on operational systems, to minimize the risk of interruptions in or corruption of information services.

Control includes:

  • Updating performed only with appropriate management authorization
  • Updating performed only by appropriately trained personnel
  • Only appropriately tested and certified software deployed to operational systems
  • Appropriate change management and configuration control processes for all stages of updating
  • Appropriate documentation of the nature of the change and the processes used to implement it
  • A rollback strategy in place, including retention of prior versions as a contingency measure
  • Appropriate audit logs maintained to track changes
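
The bullets above describe a procedure; the parts of it that can be enforced by the deployment tooling rather than by policy are the approval gate, the retained prior version and the audit trail. The following is an added example, not the HORSE page's own code: an installer that refuses any artifact whose digest is not on the approved-release list, keeps the previous version, rolls back automatically when a post-install check fails, and writes every event to an append-only log. The approved list, artifact contents, change ids and directory layout are constructed; a real pipeline would carry the approval as a signed manifest from the release process and the change id from the change-management system.

```python
"""Controlled installation of software on an operational system.

Added example, not the HORSE page's own: only approved (tested, certified)
artifacts are installed, the prior version is retained, a failed post-install
check rolls back, and every step is audit-logged. Approved-release list,
artifact contents, change ids and layout are constructed for the demo.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict


class DeployError(Exception):
    pass


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class Deployer:
    def __init__(self, root: Path, approved: Dict[str, dict]) -> None:
        self.current = root / "current"           # what is running
        self.previous = root / "previous"         # retained for rollback
        self.audit_log = root / "deploy-audit.log"
        self.approved = approved                  # sha256 -> {version, change_id, approved_by}

    def _audit(self, event: str, **fields) -> None:
        with self.audit_log.open("a") as f:
            f.write(json.dumps({"ts": time.time(), "event": event, **fields}) + "\n")

    def verify_artifact(self, artifact: Path) -> dict:
        """Gate: the artifact's digest must be on the approved (tested, certified) list."""
        digest = sha256_of(artifact)
        record = self.approved.get(digest)
        if record is None:
            self._audit("reject", artifact=artifact.name, sha256=digest)
            raise DeployError("artifact is not on the approved release list")
        return record

    def deploy(self, artifact: Path, post_install_check: Callable[[Path], bool]) -> str:
        """Install an approved artifact; roll back if the post-install check fails."""
        record = self.verify_artifact(artifact)
        if self.current.exists():                 # keep exactly one prior version
            if self.previous.exists():
                self.previous.unlink()
            self.current.rename(self.previous)
        shutil.copy2(artifact, self.current)
        self._audit("install", version=record["version"], change_id=record["change_id"],
                    approved_by=record["approved_by"], sha256=sha256_of(self.current))
        if not post_install_check(self.current):
            self.rollback("post-install check failed")
            raise DeployError("rolled back: post-install check failed")
        return record["version"]

    def rollback(self, reason: str) -> None:
        if not self.previous.exists():
            raise DeployError("no previous version retained")
        self.current.unlink()
        self.previous.rename(self.current)
        self._audit("rollback", reason=reason, sha256=sha256_of(self.current))


def demo() -> dict:
    """Constructed run in a temporary directory; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        v1, v2, rogue = root / "app-1.0.bin", root / "app-2.0.bin", root / "hotfix.bin"
        v1.write_bytes(b"app v1.0")
        v2.write_bytes(b"app v2.0 (breaks in production)")
        rogue.write_bytes(b"untested hotfix")
        approved = {   # constructed approval records keyed by artifact digest
            sha256_of(v1): {"version": "1.0", "change_id": "CHG-0001", "approved_by": "release-mgr"},
            sha256_of(v2): {"version": "2.0", "change_id": "CHG-0002", "approved_by": "release-mgr"},
        }
        d = Deployer(root, approved)
        out = {"v1": d.deploy(v1, lambda p: b"v1.0" in p.read_bytes())}
        for name, artifact in (("rogue", rogue), ("v2", v2)):
            try:
                out[name] = d.deploy(artifact, lambda p: b"breaks" not in p.read_bytes())
            except DeployError as e:
                out[name] = str(e)
        out["running"] = d.current.read_bytes().decode()
        out["events"] = [json.loads(line)["event"] for line in d.audit_log.read_text().splitlines()]
        return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest gate is what turns "only appropriately tested and certified software" from a statement of intent into something the operator cannot bypass by hand-copying a file into place; the log line for each install carries the change id and approver so the audit trail can be reconciled against change management.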


Protection of system test data

Test data should be selected carefully and appropriately logged, protected and controlled.

Access control for program source code

Access to program source code should be restricted.

Control includes:

  • Appropriate physical and technical safeguards for program source libraries, documentation, designs, specifications, verification and validation plans
  • Maintenance and copying of these materials subject to strict change management and other controls


Security in development and support processes

This category aims to maintain the security of application system software and information.

Change control procedures

The implementation of changes should be controlled by the use of formal change control procedures.

Control includes:

  • A formal process of documentation, specification, testing, quality control and managed implementation
  • A risk assessment, analysis of actual and potential impacts of changes, and specification of any security controls required
  • A budgetary or other financial analysis to assess adequacy of resources
  • Formal agreement to and approval of changes by appropriate management
  • Appropriate notification of all affected parties prior to implementation, on the nature, timing and likely impacts of the changes
  • Scheduling of changes to minimize the adverse impact on business processes


Technical review of applications after operating system changes

When operating systems and processes are changed, business-critical applications and processes should be reviewed and tested to ensure that there has been no adverse impact.

Restrictions on changes to software packages

Modifications to software packages should be discouraged and limited to necessary changes, and all changes should be strictly controlled.

Information leakage

Opportunities for information leakage should be appropriately minimized or prevented.

Control includes:

  • Risk assessment of the probable and possible mechanisms for information leakage, and consideration of appropriate countermeasures
  • Regular monitoring of likely information leak mechanisms and sources
  • End-user awareness and training on preventive strategies (e.g., removing metadata from transferred files)


Outsourced software development

Outsourced software development should be appropriately supervised and monitored by the organization.

Technical vulnerability management

This category aims to reduce risks resulting from exploitation of published technical vulnerabilities.

Control of technical vulnerabilities

Timely information about technical vulnerabilities of information systems used by the organization should be obtained, evaluated in terms of organizational exposure and risk, and appropriate countermeasures taken.

Control includes:

  • A complete inventory of information assets sufficient to identify systems put at risk by a particular technical vulnerability
  • Procedures to allow timely response to identification of technical vulnerabilities that present a risk to any of the organization's information assets, including a timeline based on the level of risk
  • Defined roles and responsibilities for implementation of countermeasures and other mitigation procedures
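
The three bullets above translate directly into a triage step: match an advisory against the asset inventory, adjust the vendor's severity for the organization's own exposure, and derive a remediation deadline from the resulting risk level. The following is an added example and not the HORSE page's own code. The inventory, the advisory, the "internet-facing raises the level by one" exposure rule and the SLA table are all constructed; the mechanics a practitioner wants to see are the version-range match (numeric, so that 2.4.10 is correctly newer than 2.4.9, and exclusive of the fixed version) and the risk-to-deadline mapping.

```python
"""Matching a vulnerability advisory against the asset inventory and setting a
risk-based remediation deadline.

Added example, not the HORSE page's own code. Inventory, advisory, exposure
rule and SLA table are constructed; the point is the mechanics: an inventory
good enough to find affected systems, and a response timeline set by risk.
"""
from datetime import date, timedelta
from typing import List, Tuple

# Constructed remediation policy: days allowed per risk level.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
LEVELS = ["low", "medium", "high", "critical"]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple so that 2.4.10 sorts after 2.4.9 (string comparison would not)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """Affected range is [affected_from, fixed_in): the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def assess_risk(advisory_severity: str, asset: dict) -> str:
    """Organizational exposure adjusts the vendor severity: one level up if internet-facing."""
    level = LEVELS.index(advisory_severity)
    if asset["internet_facing"]:
        level = min(level + 1, len(LEVELS) - 1)
    return LEVELS[level]


def triage(inventory: List[dict], advisory: dict, today: date) -> List[dict]:
    """Affected assets with owner, assessed risk and due date, most urgent first."""
    actions = []
    for asset in inventory:
        if asset["product"] != advisory["product"] or not is_affected(asset["version"], advisory):
            continue
        risk = assess_risk(advisory["severity"], asset)
        actions.append({
            "host": asset["host"], "owner": asset["owner"], "version": asset["version"],
            "risk": risk, "due": (today + timedelta(days=SLA_DAYS[risk])).isoformat(),
        })
    return sorted(actions, key=lambda a: (-LEVELS.index(a["risk"]), a["due"], a["host"]))


# Constructed inventory and advisory (product and host names are placeholders).
INVENTORY = [
    {"host": "web-01", "product": "exampled", "version": "2.4.9", "internet_facing": True, "owner": "web-team"},
    {"host": "app-02", "product": "exampled", "version": "2.4.10", "internet_facing": False, "owner": "app-team"},
    {"host": "app-03", "product": "exampled", "version": "2.4.12", "internet_facing": False, "owner": "app-team"},
    {"host": "db-04", "product": "exampled", "version": "2.2.31", "internet_facing": False, "owner": "dba-team"},
    {"host": "mq-05", "product": "otherd", "version": "2.4.9", "internet_facing": True, "owner": "mq-team"},
]
ADVISORY = {"product": "exampled", "affected_from": "2.4.0", "fixed_in": "2.4.12", "severity": "high"}


def demo() -> List[dict]:
    """Run the triage for the constructed data as of a fixed date."""
    return triage(INVENTORY, ADVISORY, date(2024, 5, 1))


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The output is only as good as the inventory: an asset missing from it, or recorded with the wrong version, silently escapes the advisory, which is why the first bullet above asks for an inventory "sufficient to identify systems put at risk" rather than merely a list of hosts.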

References

ISO-27002:2005 12.1.1 (Security requirements analysis and specification)
HIPAA 164.312(c)(1) (Integrity)
ISO-27002:2005 12.2.1 (Input data validation)
ISO-27002:2005 12.2.2 (Control of internal processing)
ISO-27002:2005 12.2.3 (Message integrity)
ISO-27002:2005 12.2.4 (Output data validation)
ISO-27002:2005 12.3.1 (Policy on the use of cryptographic controls)
HIPAA 164.312(a)(2)(iv) (Encryption and decryption)
HIPAA 164.312(e)(2)(ii) (Encryption, under transmission security)
PCI-DSS:2005 3.4 (Render stored PAN unreadable)
PCI-DSS:2005 4 (Encrypt transmission of cardholder data across open, public networks)
ISO-27002:2005 12.3.2 (Key management)
PCI-DSS:2005 3.5 (Protect cryptographic keys against disclosure and misuse)
ISO-27002:2005 12.4.1 (Control of operational software)
ISO-27002:2005 12.4.2 (Protection of system test data)
ISO-27002:2005 12.4.3 (Access control to program source code)
ISO-27002:2005 12.5.1 (Change control procedures)
ISO-27002:2005 12.5.2 (Technical review of applications after operating system changes)
ISO-27002:2005 12.5.3 (Restrictions on changes to software packages)
ISO-27002:2005 12.5.4 (Information leakage)
ISO-27002:2005 12.5.5 (Outsourced software development)
ISO-27002:2005 12.6.1 (Control of technical vulnerabilities)

See also

  • ISO 17799/27002 - Code of Practice for Information Security Management